 From:  "Jonathan Lydall" <jonathan dot lydall at za dot ods dot co dot za>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  M0n0wall / Cisco Router IPSEC tunnel doesn't seem to come back up automatically after network problems
 Date:  Tue, 21 Feb 2006 00:53:20 +0200

After some trial and error, I managed to create an IPSec tunnel between a
m0n0wall box and a Cisco Router and traffic was flowing perfectly between
the two networks. I went home, and left a technician on the remote side to
set up his Windows Server in London to talk to our Windows Server here in
Johannesburg, South Africa. He called me about an hour later informing me
they had had a power outage and the tunnel wasn't coming back up. I assumed I
had forgotten to write the Cisco router's config, but it turns out I had
actually written it; what I needed to do was restart the IPSec tunnel on
my m0n0wall box.

After Googling and searching through m0n0wall's archives I found that dasz,
Mark and Sean seem to have the same/similar issue
(http://m0n0.ch/wall/list/showmsg.php?id=231/34), but didn't seem to end up
finding a solution.

Seeing as I battled to find exact documentation for a m0n0wall IPSec
connection specifically to a Cisco Router, I figured I may as well post it
here for the next person trying the same thing, or something similar:

The router is a Cisco 837, from the looks of things:
Cisco C837 (MPC857DSL) processor (revision 0x501) with 44237K/4915K bytes of
Processor board ID FOC08493FWZ (1775087769), with hardware revision 0000
CPU rev number 7
1 Ethernet interface
4 FastEthernet interfaces
1 ATM interface
128K bytes of NVRAM.
12288K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

Johannesburg LAN (m0n0wall on leased line) uses
London LAN (Cisco ADSL Router) uses

Here is the relevant config in regards to the IPSEC tunnel for the Cisco
Router. It doesn't seem to matter what kind of uplink you have, just that there
is a "crypto map" command on the "public" interface of the device, in my
case dialer1. I have omitted anything that is not really related to the

! Phase 1 (ISAKMP) proposal: 3DES / MD5 / DH group 2 / pre-shared key
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
! Pre-shared key bound to the m0n0wall's public address
crypto isakmp key <shared-secret> address <m0n0wall-public-ipaddress>

! Phase 2 (IPsec) proposal: ESP with 3DES and MD5-HMAC
crypto ipsec transform-set trans1 esp-3des esp-md5-hmac

! Ties the peer, the phase 2 proposal and the interesting traffic (ACL 102) together
crypto map mymap 1 ipsec-isakmp
 set peer <m0n0wall-public-ipaddress>
 set transform-set trans1
 match address 102

! The map must be applied on the public-facing interface
interface Dialer1
 crypto map mymap

access-list 102 permit ip

We have a leased line in Johannesburg with a routed IP configured on the WAN
of the m0n0wall box. This box has been doing 100% trouble-free NAT at this
site for over a year; it has a CD-ROM with m0n0wall on it and a floppy disk for
the config. I burnt the latest m0n0wall to CD, popped it in, restarted, and
the box just worked with the newer version :). I then selected IPSec under
VPN, hit the "+" button, and used the following options:

Interface: WAN
Local subnet: Type: LAN Subnet
Remote subnet:
Remote Gateway: <london-cisco-router-public-ip>
Description: London Office

Phase 1:

Negotiation Mode: aggressive
My identifier: My IP address:
Encryption algorithm: 3DES
Hash algorithm: MD5
DH key group: 2
Lifetime: 14400
Authentication method: pre-shared key

Phase 2:

Protocol: ESP
Encryption algorithms: only 3DES selected
Hash algorithms: only MD5 selected
PFS key group: off
Lifetime: 14400

While I have done routing and NAT on Ciscos for several years, I'm no Cisco
certified engineer or anything, and had never done IPSec before, so it took me a
while to work out the Cisco router config, but I seemed to get it working in
the end. The problem is that if I do a restart of the Cisco, the tunnel won't come
back up until I either restart the m0n0wall box completely or click the
"Save" button in the VPN->IPSec page.

Ideally I need the system to bring itself back up after any interruptions,
so any solution to this problem would be greatly appreciated.

Many Thanks,

Jonathan Lydall
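The post above lists both ends of the tunnel by hand, and an IKEv1 tunnel only negotiates when the phase 1 and phase 2 proposals agree on both peers. The following is an added example, not code from the post, from m0n0wall or from Cisco: it parses the IOS crypto fragment quoted in the mail (copied with its placeholders), holds the m0n0wall GUI fields as a dict, reports any parameter that differs, and separately flags the settings a security reviewer would raise even though they negotiate fine (aggressive mode with a PSK, 3DES, MD5, PFS off). It assumes the IOS defaults that apply when a line is absent: `authentication rsa-sig` for an isakmp policy, no PFS unless `set pfs` appears in the crypto map, and `group1` when `set pfs` has no argument.

```python
"""Check that the m0n0wall and Cisco IOS ends of an IPsec tunnel agree.

Added example (not from the original post, m0n0wall or Cisco). Parses the
IOS crypto configuration quoted in the mail, compares it with the m0n0wall
GUI values, and flags weak choices a reviewer would want to revisit.
"""
import re

# Constructed input: the IOS fragment from the post, placeholders kept.
IOS_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key <shared-secret> address <m0n0wall-public-ipaddress>

crypto ipsec transform-set trans1 esp-3des esp-md5-hmac

crypto map mymap 1 ipsec-isakmp
 set peer <m0n0wall-public-ipaddress>
 set transform-set trans1
 match address 102

interface Dialer1
 crypto map mymap
"""

# The m0n0wall side, transcribed from the VPN -> IPsec GUI values in the post.
M0N0WALL = {
    "phase1": {"encr": "3des", "hash": "md5", "group": "2",
               "auth": "pre-share", "mode": "aggressive"},
    "phase2": {"encr": "3des", "hash": "md5", "pfs": "off"},
}


def parse_ios(text):
    """Extract phase 1 (isakmp policy) and phase 2 (transform-set and crypto
    map) parameters. Indented lines belong to the preceding top-level
    command; settings not stated fall back to the assumed IOS defaults."""
    phase1 = {"auth": "rsa-sig"}   # assumed IOS default when 'authentication' is absent
    phase2 = {"pfs": "off"}        # assumed: PFS is off unless 'set pfs' appears
    section = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            section = None
            if line.startswith("crypto isakmp policy"):
                section = "isakmp"
            elif line.startswith("crypto map ") and "ipsec-isakmp" in line:
                section = "map"
            elif line.startswith("crypto ipsec transform-set"):
                # "crypto ipsec transform-set <name> esp-3des esp-md5-hmac"
                for tok in line.split()[4:]:
                    m = re.fullmatch(r"esp-(\w+)-hmac", tok)
                    if m:
                        phase2["hash"] = m.group(1)
                    elif tok.startswith("esp-"):
                        phase2["encr"] = tok[4:]
                    elif tok.isdigit() and "encr" in phase2:
                        phase2["encr"] += tok      # e.g. "esp-aes 256" -> "aes256"
            continue
        key, _, value = line.strip().partition(" ")
        if section == "isakmp":
            if key in ("encr", "encryption"):
                phase1["encr"] = value
            elif key == "authentication":
                phase1["auth"] = value
            elif key in ("hash", "group"):
                phase1[key] = value
        elif section == "map" and key == "set" and value.startswith("pfs"):
            _, *grp = value.split()
            phase2["pfs"] = grp[0] if grp else "group1"   # assumed IOS default
    return {"phase1": phase1, "phase2": phase2}


def compare(ios, m0n0):
    """Return the parameters that differ between the peers, keyed by phase.
    Any entry here means IKE (phase 1) or IPsec (phase 2) will not agree."""
    diffs = {}
    for phase, keys in (("phase1", ("encr", "hash", "group", "auth")),
                        ("phase2", ("encr", "hash", "pfs"))):
        for k in keys:
            a, b = ios[phase].get(k), m0n0[phase].get(k)
            if a != b:
                diffs.setdefault(phase, {})[k] = (a, b)
    return diffs


def review(ios, m0n0):
    """Settings that negotiate fine but a security reviewer would flag."""
    notes = []
    if m0n0["phase1"]["mode"] == "aggressive" and m0n0["phase1"]["auth"] == "pre-share":
        notes.append("aggressive mode with a PSK sends the identity hashes in "
                     "the clear, so a sniffer can crack the PSK offline")
    if "3des" in (ios["phase1"]["encr"], ios["phase2"]["encr"]):
        notes.append("3DES is deprecated; prefer AES")
    if "md5" in (ios["phase1"]["hash"], ios["phase2"]["hash"]):
        notes.append("MD5 is deprecated; prefer SHA-2")
    if ios["phase2"]["pfs"] == "off":
        notes.append("PFS off: phase 2 keys derive from the phase 1 secret, "
                     "so one compromise exposes every child SA")
    return notes


if __name__ == "__main__":
    ios = parse_ios(IOS_CONFIG)
    print("mismatches:", compare(ios, M0N0WALL) or "none")
    for note in review(ios, M0N0WALL):
        print("flag:", note)
```

For the configuration in the post both sides match, so `compare()` is empty and all four review flags fire; changing one side (say `hash sha` in the isakmp policy) makes the mismatch show up under `phase1`, which is the first thing to check when a tunnel will not negotiate.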